PGP signatures

Several archives distributed on this site are cryptographically signed using
OpenPGP-compliant signatures. Everyone is encouraged to check the integrity of
the downloaded content by verifying its corresponding signature. Signing and
verification ensure that the downloaded files have not been modified or tampered
with since they were created, and thus prevent anyone from using corrupted
files.

On GNU/Linux, the most common way to verify a PGP signature is with GnuPG.
First ensure that GnuPG is installed on your system. Then download the archive
and its PGP signature and use the gpg2 command to check the integrity of the
archive against its signature.

If gpg2 reports that it cannot check the signature because the public key is
missing, this means that you do not have the public part of the PGP key used to
sign this archive. In the previous example the key identifier is
7322B68F7896C455. Use gpg2 to download this key from the PGP keyserver.

Note that GnuPG warns that the key is not certified. In other words, you cannot
be sure that the key used to sign the archive really belongs to its owner. The
best option is to meet the actual owner in person and ask them about the key's
validity. More simply, but also less securely, you can review the list of
signatures on the key with gpg2 --list-sigs and then decide whether or not you
trust that key.
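The GNU/Linux procedure above, as an added example that is not part of the original page: a POSIX shell wrapper that verifies the archive, fetches the signing key once if it is missing, and reads gpg's machine-readable status lines rather than its human-readable output, so that only a signature from the expected key (the 7322B68F7896C455 quoted above) counts as good. The keyserver URL is an assumption; the page does not name one.

```shell
#!/bin/sh
# Added example, not code from the original page.
KEYSERVER="hkps://keys.openpgp.org"   # assumption: the page does not name a keyserver
SIGNING_KEY="7322B68F7896C455"        # key ID quoted on the page

# Print the long key ID (last 16 hex digits of the fingerprint) from the
# VALIDSIG status line, or nothing if gpg reported no valid signature.
signer_keyid() {
    printf '%s\n' "$1" | awk '/^\[GNUPG:\] VALIDSIG /{print substr($3, length($3)-15); exit}'
}

# Map a block of --status-fd lines to one verdict word: bad, missing-key,
# wrong-key or good. $1: status text, $2: expected long key ID.
classify_gpg_status() {
    if printf '%s\n' "$1" | grep -q '^\[GNUPG:\] BADSIG '; then
        echo bad; return 0
    fi
    if printf '%s\n' "$1" | grep -q '^\[GNUPG:\] NO_PUBKEY '; then
        echo missing-key; return 0
    fi
    signer=$(signer_keyid "$1")
    if [ -z "$signer" ]; then echo bad
    elif [ "$signer" != "$2" ]; then echo wrong-key   # valid signature, but not from the key we expect
    else echo good
    fi
}

# Verify the detached signature ($2) over the archive ($1); import the key once if it is missing.
verify_archive() {
    status=$(gpg2 --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    verdict=$(classify_gpg_status "$status" "$SIGNING_KEY")
    if [ "$verdict" = missing-key ]; then
        gpg2 --keyserver "$KEYSERVER" --recv-keys "$SIGNING_KEY" || return 1
        status=$(gpg2 --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
        verdict=$(classify_gpg_status "$status" "$SIGNING_KEY")
    fi
    echo "verdict: $verdict"
    # "good" only says the bytes match this key; whether the key belongs to its
    # claimed owner is a separate decision (gpg2 --list-sigs "$SIGNING_KEY", see above).
    [ "$verdict" = good ]
}

# Run only when given an archive and its signature: ./verify.sh archive.tar.gz archive.tar.gz.asc
if [ "$#" -ge 2 ]; then
    verify_archive "$1" "$2"
fi
```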

On Windows, you can use the GPG4Win tool to verify the archive signature. The
process is roughly the same as on GNU/Linux: you first have to import the public
key used to sign the archive before verifying its integrity and checking that
the imported key really belongs to the owner.